Spyware is one category of malicious software (malware) that intercepts or takes partial control of a computer's operation without the user's informed consent. Although the term “spyware” taken literally suggests software that surreptitiously monitors a user, the term has come to refer broadly to software that subverts the computer's operation for the benefit of a third party. Spyware differs from most other types of malware in that it does not normally self-replicate. Typical tactics taken by spyware for commercial gain include delivering unsolicited pop-up advertisements, stealing personal information, monitoring Web-browsing activity, and redirecting HTTP requests to advertising sites.
Spyware does not spread in the same manner as other malware; generally, a spyware-infected system does not attempt to transmit the spyware to other computers. Instead, spyware gets onto a system through deception of the user or through exploitation of software vulnerabilities, such as security holes in Web browsers.
The most direct and common route by which spyware gets onto a computer is for an unsuspecting user to install it. Spyware is often bundled with other desirable software, or is installed on its own but disguised as software, such as a utility, that the user is interested in and wants. The “bundled” form of entry often occurs with shareware or other downloadable software. The unbundled, deceptive or disguised form of entry, the so-called Trojan Horse, often takes the form of a useful utility or a helpful software agent (e.g., a Web accelerator or a “price comparator” online shopping agent).
Another way spyware can make it onto a computer is for the spyware, or a scouting-type program, to manipulate the security features of the computer's Web browser that are designed to prevent unwanted installations and, through this manipulation, take advantage of security holes. For example, Web browsers such as Internet Explorer are designed to prevent Web sites from initiating downloads that are not requested or initiated by the user. However, spyware authors can trick users into initiating a download (e.g., a pop-up ad may be made to look like a standard Windows dialog box), or can cause a download to begin regardless of which control the user clicks, such as “No”, “Do Not Accept”, or “Close Window”. Spyware authors can also take advantage of other security holes in a Web browser or other software. For example, when a user navigates to a Web page controlled by a spyware author, the page may contain code that attacks the browser and forces the download and installation of spyware, often in the form of Browser Helper Object (“BHO”) plug-ins. Internet Explorer in particular serves as a point of attachment for this type of software, since it loads BHOs automatically once they are registered. Finally, in less common cases, spyware is delivered as the payload of a worm or other form of malware.
Various methods have been developed to detect the installation of spyware by the tactics described above. However, these methods have not been able to adequately block the installation of spyware. For example, one method of detecting spyware, and malware in general, is to use a predefined pattern database. Such a predefined database is unable to detect new spyware, since a sample that has not yet been catalogued matches no entry. Another method is to use predefined rules for detecting unknown spyware, which take into account characteristics of a portable executable and the APIs it imports. However, the rules have to be entered manually whenever a new spyware program is detected and are thus difficult or impractical to maintain. In addition, since the number of rules is limited, the method is unable to achieve both a high detection rate and, at the same time, a low false-positive rate: a rule loose enough to catch unknown variants also matches legitimate programs that import the same APIs.
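The two prior-art detection methods just described, and the failure mode of each, can be shown side by side on constructed input. The following is an added illustration, not code from this patent or from any product it references: the "executables" are a few bytes with a hand-written import list rather than real portable executables, the file names and API combinations are hypothetical, and the hash database and rule set are invented for the example. A byte-level signature recognises only the exact catalogued file, so a repacked variant with one byte changed passes; an import-based rule catches the variant but also flags a legitimate utility that imports the same hook APIs.

```python
"""Signature-based vs. rule-based spyware detection on constructed samples."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class PESample:
    """Stand-in for a portable executable: the file bytes plus the Win32
    API names it imports. Both are constructed for this example; no real
    PE parsing is done here."""
    name: str
    image: bytes
    imports: FrozenSet[str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed samples (hypothetical names, not real software) ----------
KNOWN_SPYWARE = PESample(
    "adtracker.exe",
    b"MZ\x90\x00" + b"ADTRACKER-v1" + b"\x00" * 40,
    frozenset({"SetWindowsHookExA", "InternetOpenA",
               "RegSetValueExA", "GetAsyncKeyState"}),
)
# Same behaviour and same imports, but repacked: one padding byte differs.
VARIANT = PESample(
    "adtracker_v2.exe",
    KNOWN_SPYWARE.image[:-1] + b"\x01",
    KNOWN_SPYWARE.imports,
)
# A legitimate hotkey utility that installs a keyboard hook and saves
# its settings in the registry, so it imports the same two APIs.
HOTKEY_TOOL = PESample(
    "hotkeys.exe",
    b"MZ\x90\x00" + b"HOTKEYS" + b"\x00" * 45,
    frozenset({"SetWindowsHookExA", "RegSetValueExA", "MessageBoxA"}),
)
BENIGN = PESample(
    "calc_clone.exe",
    b"MZ\x90\x00" + b"CALC" + b"\x00" * 48,
    frozenset({"CreateWindowExA", "MessageBoxA"}),
)

# --- method 1: predefined pattern database (whole-file hash) ---------------
PATTERN_DB: Dict[str, str] = {sha256_hex(KNOWN_SPYWARE.image): "AdTracker"}


def signature_detect(sample: PESample) -> Optional[str]:
    """Return the family name if the file hash is in the database, else None.
    Any change to the file bytes defeats this lookup."""
    return PATTERN_DB.get(sha256_hex(sample.image))


# --- method 2: manually written rules over imported APIs -------------------
# Each rule names a set of imports that must all be present.
RULES: Dict[str, FrozenSet[str]] = {
    "keylogger-exfil": frozenset({"SetWindowsHookExA", "InternetOpenA"}),
    "hook-and-persist": frozenset({"SetWindowsHookExA", "RegSetValueExA"}),
}


def rule_detect(sample: PESample) -> List[str]:
    """Return the names of every rule whose required imports the sample has."""
    return [name for name, required in RULES.items()
            if required <= sample.imports]


def evaluate(samples: Tuple[PESample, ...]) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Run both methods over the samples: name -> (signature hit, rule hits)."""
    return {s.name: (signature_detect(s), rule_detect(s)) for s in samples}


if __name__ == "__main__":
    for name, (sig, rules) in evaluate(
            (KNOWN_SPYWARE, VARIANT, HOTKEY_TOOL, BENIGN)).items():
        print(f"{name:18} signature={sig!s:10} rules={rules}")
```

Running the script shows the trade-off the text describes: the hash database catches only `adtracker.exe`; the rules catch the repacked variant as well, but the looser `hook-and-persist` rule also fires on `hotkeys.exe`, and tightening that rule to avoid the false positive would require another manual edit each time a new family appears.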
Another method that has been suggested is to alert the user directly to software downloads that can potentially or actually lead to the installation of spyware, such as the downloading of BHOs. In this approach, the user is informed of the potential danger and the final decision is left to the user. That is, the user must make the ultimate determination of whether the software being downloaded is spyware and act accordingly. This is impractical and burdensome for the vast majority of users, who are unlikely to have the technical knowledge needed to investigate the download on their own.
Thus, it would be desirable to have a program that executes on a computer that effectively detects the installation of spyware and prevents the installation, and is able to do both without human intervention and regardless of the manner in which the spyware is being installed.